Abstract

We consider the problem of finding a sparse multiple of a polynomial. Given $f \in F[x]$ of degree $d$ over a field $F$, and a desired sparsity $t$, our goal is to determine if there exists a multiple $h \in F[x]$ of $f$ such that $h$ has at most $t$ non-zero terms, and if so, to find such an $h$. When $F = \mathbb{Q}$ and $t$ is constant, we give a polynomial-time algorithm in $d$ and the size of coefficients in $h$. When $F$ is a finite field, we show that the problem is at least as hard as determining the multiplicative order of elements in an extension field of $F$ (a problem thought to have complexity similar to that of factoring integers), and this lower bound is tight when $t = 2$.

1 Introduction

Let $F$ be a field, which will later be specified either to be the rational numbers ($\mathbb{Q}$) or a finite field with $q$ elements ($\mathbb{F}_q$). We say a polynomial $h \in F[x]$ is $t$-sparse (or has sparsity $t$) if it has at most $t$ nonzero coefficients in the standard power basis; that is, $h$ can be written in the form

$$h = h_1 x^{d_1} + h_2 x^{d_2} + \cdots + h_t x^{d_t} \quad \text{for } h_1, \dots, h_t \in F \text{ and } d_1, \dots, d_t \in \mathbb{N}. \qquad (1.1)$$

Sparse polynomials have a compact representation as a sequence of coefficient-degree pairs $(h_1, d_1), \dots, (h_t, d_t)$, which allows representation and manipulation of very high degree polynomials. Let $f \in F[x]$ have degree $d$. We examine the computation of a $t$-sparse multiple of $f$. That is, we wish to determine if there exist $g, h \in F[x]$ such that $fg = h$ and $h$ has prescribed sparsity $t$, and if so, to find such an $h$. We do not attempt to find $g$, as it may have a super-polynomial number of terms, even though $h$ has a compact representation (see Theorem 3.7).

Sparse multiples over finite fields have cryptographic applications. Their computation is used in correlation attacks on LFSR-based stream ciphers (El Aimani and von zur Gathen, 2007; Didier and Laigle-Chapuy, 2007). The security of the TCHo cryptosystem is also based on the conjectured computational hardness of sparsest multiple computation over $\mathbb{F}_2[x]$ (Aumasson et al., 2007); our results provide further evidence that this is in fact a computationally difficult problem.

Sparse multiples can facilitate efficient arithmetic in extension fields (Brent and Zimmermann, 2003) and in designing interleavers for error-correcting codes (Sadjadpour et al., 2001). The linear algebra formulation in Section 2 relates to finding the minimum distance of a binary linear code (Berlekamp et al., 1978; Vardy, 1997) as well as finding "sparsifications" of linear systems (Egner and Minkwitz, 1998).

One of our original motivations was to understand the complexity of sparse polynomial implicitization over $\mathbb{Q}$ or $\mathbb{R}$: Given a curve represented explicitly as a set of parametric rational functions, find a sparse polynomial whose zero set contains all points on the curve (see, e.g., Emiris and Kotsireas (2005)). This is a useful operation in computer aided geometric design for facilitating various operations on the curve, and work here can be thought of as a univariate version of this problem.

We often consider the related problem of finding a sparse annihilator for a set of points, that is, a sparse polynomial with given roots. This is exactly equivalent to our problem when the input polynomial $f$ is squarefree, and in the binomial case corresponds to asking whether a given root can be written as a surd. This is also the problem we are really interested in regarding implicitization, and allows us to build on significant literature from the number theory community on the roots of sparse polynomials.

In general, we assume that the desired sparsity $t$ is a constant. This seems reasonable given that over a finite field, even for $t = 2$, the problem is probably computationally hard (Theorem 5.1). In fact, we have reason to conjecture that the problem is intractable over $\mathbb{Q}$ or $\mathbb{F}_q$ when $t$ is a parameter. Our algorithms are exponential in $t$ but polynomial in the other input parameters when $t$ is constant.

Over $\mathbb{Q}[x]$, the analysis must consider coefficient size, and we will count machine word operations in our algorithms to account for coefficient growth. We follow the conventions of Lenstra (1999) and define the height of a polynomial as follows. Let $f \in \mathbb{Q}[x]$ and $r \in \mathbb{Q}$ the least positive rational number such that $rf \in \mathbb{Z}[x]$. If $rf = \sum_i a_i x^{e_i}$ with each $a_i \in \mathbb{Z}$, then the height of $f$, written $\mathcal{H}(f)$, is $\max_i |a_i|$.

We examine variants of the sparse multiple problem over $\mathbb{F}_q$ and $\mathbb{Q}$. Since every polynomial in $\mathbb{F}_q[x]$ has a 2-sparse multiple of high degree, given $f \in \mathbb{F}_q[x]$ and $n \in \mathbb{N}$ we consider the problem of finding a $t$-sparse multiple of $f$ with degree at most $n$. For input $f \in \mathbb{Q}[x]$ of degree $d$, we consider algorithms which seek $t$-sparse multiples of height bounded above by an additional input value $c \in \mathbb{N}$. We present algorithms requiring time polynomial in $d$ and $\log c$.

The remainder of the paper is structured as follows. 

In Section 2, we consider the straightforward linear algebra formulation of the sparse multiple problem. This is useful over $\mathbb{Q}[x]$ once a bound on the output degree is derived, and also allows us to bound the output size. In addition, it connects our problems with related NP-complete coding theory problems.

In Section 3 we consider the problem of finding the least-degree binomial multiple of a rational polynomial. A polynomial-time algorithm in the size of the input is given which completely resolves the question in this case. This works despite the fact that we show polynomials with binomial multiples whose degrees and heights are both exponential in the input size!

In Section 4 we consider the more general problem of finding a $t$-sparse multiple of an input $f \in \mathbb{Q}[x]$. Given a height bound $c \in \mathbb{N}$ we present an algorithm which requires polynomial time in $\deg f$ and $\log c$, except in the very special case that $f$ has both non-cyclotomic and repeated cyclotomic factors.

Section 5 shows that, even for $t = 2$, finding a $t$-sparse multiple of a polynomial $f \in \mathbb{F}_q[x]$ is at least as hard as finding multiplicative orders in an extension of $\mathbb{F}_q$ (a problem thought to be computationally difficult). This lower bound is shown to be tight for $t = 2$ due to an algorithm for computing binomial multiples that uses order finding.

Open questions and avenues for future research are discussed in Section 6. 

An extended abstract of some of this work appears in Giesbrecht, Roche, and Tilak (2010). Some of this work and further explorations also appear in the Masters thesis of Tilak (2010).

2 Linear algebra formulation 

The sparsest multiple problem can be formulated using linear algebra. This requires specifying bounds on degree, height and sparsity; later some of these parameters will be otherwise determined. This approach also highlights the connection to some problems from coding theory. We exhibit a randomized algorithm for finding a $t$-sparse multiple $h$ of a degree-$d$ polynomial $f \in \mathbb{Q}[x]$, given bounds $c$ and $n$ on the height and degree of the multiple respectively. When $t$ is a constant, the algorithm runs in time polynomial in $n$ and $\log \mathcal{H}(f)$ and returns the desired output with high probability. We also conjecture the intractability of some of these problems, based on similar problems in coding theory. Finally, we show that the construction of Vardy (1997) can be used to show the problem of finding the sparsest vector in an integer lattice is NP-complete, which was conjectured by Egner and Minkwitz (1998).

Let $R$ be a principal ideal domain, with $f \in R[x]$ of degree $d$ and $n \in \mathbb{N}$ given. Suppose $g, h \in R[x]$ have degrees $n - d$ and $n$ respectively, with $f = \sum_{0}^{d} f_i x^i$, $g = \sum_{0}^{n-d} g_i x^i$ and $h = \sum_{0}^{n} h_i x^i$. The coefficients in the equation $fg = h$ satisfy the following linear system:

$$
\underbrace{\begin{bmatrix}
f_0 & & & \\
f_1 & f_0 & & \\
\vdots & f_1 & \ddots & \\
f_d & \vdots & \ddots & f_0 \\
& f_d & & f_1 \\
& & \ddots & \vdots \\
& & & f_d
\end{bmatrix}}_{A_{f,n}}
\begin{bmatrix} g_0 \\ g_1 \\ \vdots \\ g_{n-d} \end{bmatrix}
=
\begin{bmatrix} h_0 \\ h_1 \\ \vdots \\ h_n \end{bmatrix}.
\qquad (2.1)
$$

Thus, a multiple of $f$ of degree at most $n$ and sparsity at most $t$ corresponds to a vector with at most $t$ nonzero entries (i.e., a $t$-sparse vector) in the linear span of $A_{f,n}$.

If $f \in R[x]$ is squarefree and has roots $\{\alpha_1, \dots, \alpha_d\}$, possibly over a finite extension of $R$, then the following also holds:

$$
\underbrace{\begin{bmatrix}
1 & \alpha_1 & \alpha_1^2 & \cdots & \alpha_1^n \\
1 & \alpha_2 & \alpha_2^2 & \cdots & \alpha_2^n \\
\vdots & \vdots & \vdots & & \vdots \\
1 & \alpha_d & \alpha_d^2 & \cdots & \alpha_d^n
\end{bmatrix}}_{A_n(\alpha_1, \dots, \alpha_d)}
\begin{bmatrix} h_0 \\ h_1 \\ \vdots \\ h_n \end{bmatrix}
= 0.
\qquad (2.2)
$$

Thus $t$-sparse multiples of a squarefree $f$ correspond to $t$-sparse $R$-vectors in the nullspace of $A_n(\alpha_1, \dots, \alpha_d)$.



2.1 Finding short vectors in lattices 

This technical section presents a randomized, polynomial-time algorithm to find the shortest vector in a constant-dimensional lattice. Our algorithm is a modification of Ajtai et al. (2001), based on the presentation by Regev (2004), adapted to the case of the infinity norm. Since these techniques are essentially drawn from the literature, and while necessary, are not the central thrust of the current paper, full details are left to Appendix A.

Algorithm 2.1 below starts by computing a rough approximation of the shortest $\ell_2$ vector using LLL (Lenstra, Lenstra, and Lovász, 1982), and then scales the lattice accordingly. The main while loop then consists of two phases: sampling and sieving. First, a large number of random vectors $\{x_1, \dots, x_m\}$ are sampled in an appropriately-sized ball around the origin. We take these modulo the basis $B$ to obtain vectors $\{y_1, \dots, y_m\}$ with the property that each $x_i - y_i$ is in the lattice of $B$. Next, we use a series of sieving steps in the while loop in Step 13 to find a small subset of the $y_i$ vectors that are close to every other vector and use these as "pivots". The pivots are discarded from the set, but all remaining lattice vectors $x_i - y_i$ are made smaller. After this, the set $W_\gamma$ contains most lattice vectors whose $\ell_2$ length is close to $\gamma$.



Algorithm 2.1: Shortest $\ell_\infty$ vector in a lattice

Input: Basis $U \in \mathbb{Z}^{n \times d}$ for an integer lattice $\mathcal{L}$ of dimension $n$ and size $d \le n$
Output: Shortest vector in $\mathcal{L}$

1  $\lambda \leftarrow$ approximate $\ell_2$-shortest vector in $\mathcal{L}$ from Lenstra et al. (1982)
2  $B \leftarrow (1/\|\lambda\|_2) \cdot U$, stored as a list of vectors $[b_1, \dots, b_d]$
3  for $k \in \{1, 2, \dots, 2n\}$ do
4    $B \leftarrow 1.5 \cdot B$
5    $r_0 \leftarrow n \max_i \|b_i\|_2$
6    $\gamma \leftarrow 3/2$
7    while $\gamma < 3\sqrt{n} + 1$ do
8      m ← r2( 7+ r io s^) rl logr
9      Sample points $\{x_1, \dots, x_m\}$ uniformly and independently from $B_n(0, \gamma)$, the $n$-dimensional ball of radius $\gamma$ centered around the origin
10     $S \leftarrow \{1, 2, \dots, m\}$
11     $y_i \leftarrow x_i \bmod \mathcal{P}(B)$ for every $i \in S$, $\mathcal{P}(B)$ being the parallelogram of $B$ defined in the proof of Lemma A.2
12     $r \leftarrow r_0$
13     while $r > 2\gamma + 1$ do
14       $J \leftarrow \emptyset$
15       for $i \in S$ do
16         if $\exists j \in J$ such that $\|y_j - y_i\| < r/2$ then $\eta_i \leftarrow j$
17         else $J \leftarrow J \cup \{i\}$
18       $S \leftarrow S \setminus J$
19       $r \leftarrow r/2 + \gamma$
20       $y_i \leftarrow y_i - y_{\eta_i} + x_{\eta_i}$ for $i \in S$
21     $K_\gamma \leftarrow \{(x_i - y_i) \mid i \in S\}$
22     $W_\gamma \leftarrow \{u - w \mid u, w \in K_\gamma \text{ and } u \ne w\}$
23     $\gamma \leftarrow 3\gamma/2$
24   $v_k \leftarrow$ shortest vector in any $W_\gamma$
25 return shortest vector in $\{(\|\lambda\|_2 / 1.5^k) \cdot v_k \mid k = 1, 2, \dots, 2n\}$



If we are fortunate enough that the shortest $\ell_2$ vector in the lattice with basis $B$ set on Step 4 has length between 2 and 3, then we know that the shortest vector in this lattice must have $\ell_2$ length between 2 and $3\sqrt{n}$. By iterating $\gamma$ in the appropriate range, we will encounter this shortest vector and set it to $v_k$ on Step 24 with high probability. We prove, given our approximate starting point from LLL, that we will be in this "fortunate" situation in at least one iteration through the outer for loop. The correctness and efficiency of the algorithm is given by the following theorem, whose proof we defer to Appendix A.

Theorem 2.1. Given a lattice basis $U \in \mathbb{Z}^{n \times d}$, Algorithm 2.1 returns the shortest $\ell_\infty$ vector in the lattice of $U$, with probability at least $1 - 1/2^{O(n)}$, using $2^{O(n \log n)} \cdot \|U\|^{O(1)}$ bit operations.

2.2 Finding a sparse multiple of bounded height and degree 

We now present an algorithm to find the sparsest bounded-degree, bounded-height multiple $h \in \mathbb{Q}[x]$ of an input $f \in \mathbb{Q}[x]$. Since $\mathcal{H}$ is invariant under scaling, we may assume that $f, g, h \in \mathbb{Z}[x]$.

The basic idea is the following. Having fixed the positions at which the multiple $h$ has nonzero coefficients, finding a low-height multiple is reduced to finding the nonzero vector with smallest $\ell_\infty$ norm in the image of a small lattice.

Let $I = \{i_1, \dots, i_t\}$ be a $t$-subset of $\{0, \dots, n\}$, and $A^I_{f,n} \in \mathbb{Z}^{(n-t+1) \times (n-d+1)}$ the matrix $A_{f,n}$ with rows $i_1, \dots, i_t$ removed. Denote by $B^I_{f,n} \in \mathbb{Z}^{t \times (n-d+1)}$ the matrix consisting of the removed rows $i_1, \dots, i_t$ of the matrix $A_{f,n}$. Existence of a $t$-sparse multiple $h = h_{i_1} x^{i_1} + h_{i_2} x^{i_2} + \cdots + h_{i_t} x^{i_t}$ of input $f$ is equivalent to the existence of a vector $v_g$ such that $A^I_{f,n} \cdot v_g = 0$ and $B^I_{f,n} \cdot v_g = [h_{i_1}, \dots, h_{i_t}]^T$.

Now let $C^I_{f,n}$ be a matrix whose columns span the nullspace of the matrix $A^I_{f,n}$. Since $A_{f,n}$ has full column rank, the nullspace of $A^I_{f,n}$ has dimension $s \le t$ and $C^I_{f,n} \in \mathbb{Z}^{(n-d+1) \times s}$. Thus, a $t$-sparse multiple $h = h_{i_1} x^{i_1} + \cdots + h_{i_t} x^{i_t}$ of $f$ exists if and only if there exists a $v \in \mathbb{Z}^s$ such that

$$B^I_{f,n} \cdot C^I_{f,n} \cdot v = [h_{i_1}, \dots, h_{i_t}]^T. \qquad (2.3)$$

Note that $B^I_{f,n} \cdot C^I_{f,n} \in \mathbb{Z}^{t \times s}$. Our approach, outlined in Algorithm 2.2, is to generate this lattice and search for a small, $t$-sparse vector in it. For completeness, we first define the subset ordering used in the search.

Definition 2.2. Let $a = (a_1, a_2, \dots, a_k)$ and $b = (b_1, b_2, \dots, b_k)$ be two $k$-tuples. $a$ precedes $b$ in reverse lexicographical order if and only if there exists an index $i$ with $1 \le i \le k$ such that $a_i < b_i$, and for all $j$ with $i < j \le k$, $a_j = b_j$.

The following lemma shows how to compute Step 5 efficiently using the Smith normal form.

Lemma 2.3. Given $T \in \mathbb{Z}^{k \times \ell}$ with $k \ge \ell$ and nullspace of dimension $s$, we can compute a $V \in \mathbb{Z}^{\ell \times s}$ such that the image of $V$ equals the nullspace of $T$. The algorithm requires $O^\sim(k \ell^2 s \log \|T\|)$ bit operations (ignoring logarithmic factors).

Proof. First compute the Smith normal form of the matrix: $T = PSQ$ for diagonal matrix $S = \mathrm{diag}(\delta_1, \dots, \delta_{\ell-s}, 0, \dots, 0) \in \mathbb{Z}^{k \times \ell}$ and unimodular matrices $P \in \mathbb{Z}^{k \times k}$ and $Q \in \mathbb{Z}^{\ell \times \ell}$. Storjohann (2000) gives efficient algorithms to compute such $P, S, Q$ with $O^\sim(k \ell^2 s \log \|T\|)$ bit operations.

Then since any vector $v$ in the nullspace of $T$ satisfies $PSQv = 0$, $SQv = 0$ also and $v$ is in the nullspace of $SQ$. Next compute the inverse of $Q$; this can be accomplished with the same number of bit operations since $\ell \le k$. Define $V$ to be the last $s$ columns of $Q^{-1}$. Due to the diagonal structure of $S$, $V$ must be a nullspace basis for $SQ$, and furthermore $V$ has integer entries since $Q$ is unimodular. □

Algorithm 2.2: Bounded-Degree Bounded-Height Sparsest Multiple

Input: $f \in \mathbb{Z}[x]$ and $t, n, c \in \mathbb{N}$
Output: A $t$-sparse multiple $h \in \mathbb{Z}[x]$ of $f$ with $\deg(h) \le n$ and $\mathcal{H}(h) \le c$, or "NONE"

1  for $s = 2, 3, \dots, t$ do
2    foreach $s$-subset $I = (0, i_2, \dots, i_s)$ of $\{0, 1, \dots, n\}$, sorted in reverse lexicographic order, do
3      Compute matrices $A^I_{f,n}$ and $B^I_{f,n}$ as defined above
4      if $A^I_{f,n}$ does not have full column rank then
5        Compute matrix $C^I_{f,n}$, a kernel basis for $A^I_{f,n}$
6        $h \leftarrow$ shortest $\ell_\infty$ vector in the lattice of $B^I_{f,n} \cdot C^I_{f,n}$ from Algorithm 2.1
7        if $\|h\|_\infty \le c$ then return $h_1 + h_2 x^{i_2} + \cdots + h_s x^{i_s}$
8  return "NONE"

The correctness and efficiency of Algorithm 2.2 can then be summarized as 
follows. 

Theorem 2.4. Algorithm 2.2 correctly computes a $t$-sparse multiple $h$ of $f$ of degree $n$ and height $c$, if it exists, with $(\log \mathcal{H}(f))^{O(1)} \cdot n^{O(t)} \cdot 2^{O(t \log t)}$ bit operations. The sparsity $s$ of $h$ is minimal over all multiples with degree less than $n$ and height less than $c$, and the degree of $h$ is minimal over all such $s$-sparse multiples.

Proof. The total number of iterations of the for loops is $\sum_{s=2}^{t} \binom{n}{s-1} < n^t$.

Computing the rank of $A^I_{f,n}$, and computing the matrices $B^I_{f,n}$ and $C^I_{f,n}$ can each be done in polynomial time by Lemma 2.3. The size of the entries of $C^I_{f,n}$ is bounded by some polynomial $(\log \mathcal{H}(f) + n)^{O(1)}$. The computation of the shortest $\ell_\infty$ vector can be done using $2^{O(t \log t)}$ operations on numbers of length $(\log \mathcal{H}(f) + n)^{O(1)}$ by Theorem 2.1.

The minimality of sparsity and degree comes from the ordering of the for loops. Specifically, the selection of subsets in Step 2 is performed in reverse lexicographic order, so that column subsets $I$ corresponding to lower degrees are always searched first. □
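The following Python script is an added example (not code from the paper) of the linear-algebra formulation behind Algorithm 2.2: it builds $A_{f,n}$ from (2.1), enumerates supports $I = (0, i_2, \dots, i_s)$ in the reverse lexicographic order of Definition 2.2, and tests the rank condition of Step 4 by computing a rational nullspace basis of $A^I_{f,n}$. It omits the height bound and the lattice search of Step 6, so it decides whether a $t$-sparse multiple of degree at most $n$ exists over $\mathbb{Q}$ and returns one of minimal sparsity and then minimal degree; the function names are my own.

```python
from fractions import Fraction
from itertools import combinations
from math import gcd, lcm

# Polynomials are lists of coefficients, lowest degree first: f = [f0, f1, ..., fd].

def convolution_matrix(f, n):
    """A_{f,n} of (2.1): the (n+1) x (n-d+1) matrix with A_{f,n} * g = coefficients of f*g."""
    d = len(f) - 1
    cols = n - d + 1
    A = [[Fraction(0)] * cols for _ in range(n + 1)]
    for j in range(cols):              # column j holds the coefficients of x^j * f
        for i, fi in enumerate(f):
            A[i + j][j] = Fraction(fi)
    return A

def nullspace(M):
    """Basis of {v : M v = 0} over Q by Gauss-Jordan elimination in exact arithmetic."""
    rows = [row[:] for row in M]
    ncols = len(rows[0])
    pivots, r = [], 0
    for c in range(ncols):
        p = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if p is None:
            continue                   # column c is a free variable
        rows[r], rows[p] = rows[p], rows[r]
        piv = rows[r][c]
        rows[r] = [x / piv for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                fac = rows[i][c]
                rows[i] = [x - fac * y for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in [c for c in range(ncols) if c not in pivots]:
        v = [Fraction(0)] * ncols
        v[fc] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -rows[i][fc]       # pivot variables expressed through the free one
        basis.append(v)
    return basis

def primitive(h):
    """Scale a rational coefficient dict to coprime integers with positive leading coefficient."""
    nz = {i: c for i, c in h.items() if c != 0}
    den = lcm(*(c.denominator for c in nz.values()))
    ints = {i: int(c * den) for i, c in nz.items()}
    g = gcd(*ints.values())
    if ints[max(ints)] < 0:
        g = -g
    return {i: c // g for i, c in ints.items()}

def sparse_multiple(f, t, n):
    """Existence search of Algorithm 2.2 without the height bound: sparsity s = 2..t, supports in
    reverse lexicographic order, so the first hit has minimal sparsity, then minimal degree.
    Returns the multiple as {degree: coefficient}, or None if no such multiple exists."""
    A = convolution_matrix(f, n)
    cols = len(A[0])
    for s in range(2, t + 1):
        supports = [I for I in combinations(range(n + 1), s) if I[0] == 0]
        supports.sort(key=lambda I: I[::-1])      # Definition 2.2: compare the last index first
        for I in supports:
            A_I = [A[i] for i in range(n + 1) if i not in I]   # rows that must vanish
            kern = nullspace(A_I) if A_I else [[Fraction(1 if j == 0 else 0) for j in range(cols)]]
            if not kern:
                continue                           # A^I has full column rank: nothing on this support
            v = kern[0]                            # any kernel vector gives a multiple f * g
            h = {i: sum(A[i][j] * v[j] for j in range(cols)) for i in I}   # B^I * v
            return primitive(h)
    return None
```

For $f = x^2 + x + 1$ the search with $t = 2$, $n = 3$ rejects the supports $(0,1)$ and $(0,2)$ and returns $x^3 - 1$ at support $(0,3)$, while $f = (x-1)^2$ admits no 2-sparse multiple of degree at most 2, matching Lemma 4.1.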

2.3 Relationship to NP-hard problems 

Note that the above algorithms require time exponential in $t$, and are only polynomial-time for constant $t$. It is natural to ask whether there are efficient algorithms which require time polynomial in $t$. We conjecture this problem is probably NP-complete, and point out two results of Vardy (1997) and Guruswami and Vardy (2005) on related problems that are known to be hard.

The formulation (2.2) seeks the sparsest vector in the nullspace of a (structured) matrix. For an unstructured matrix over finite fields, this is the problem of finding the minimum distance of a linear code, shown by Vardy (1997) to be NP-complete. The same problem over the integers translates into finding the sparsest vector in an integer lattice. It was posed as an open problem in Egner and Minkwitz (1998). Techniques similar to Vardy (1997) prove that this problem is also NP-complete over the integers, a fact proved in Theorem 2.5.

Of course, the problem may be easier for structured matrices as in (2.2). However, Guruswami and Vardy (2005) show that maximum likelihood decoding of cyclic codes, which seeks sparse solutions to systems of equations of similar structure to (2.2), is also NP-complete. They do require the freedom to choose a right-hand-side vector, whereas we insist on a sparse vector in the nullspace. While these two results certainly do not prove that the bounded-degree sparsest multiple problem is NP-complete, they support our conjecture that it is.

Theorem 2.5. The problem SparseLatticeVector of computing the vector with the least Hamming weight in an integer lattice specified by its basis is NP-complete.

Proof. To see that the problem is in NP, a nondeterministic machine can just 
guess the positions at which the lattice vector is nonzero. The rest is a standard 
linear algebra problem. 

We now show NP-hardness by giving a Cook-reduction from the problem 
Subset Sum, a well-known NP-complete problem. 

We note first the standard formulation of Subset Sum: Given distinct integers $\{z_1, \dots, z_n\}$, a target integer $t$ and a positive integer $w \le n$, is there a non-empty subset $S \subseteq \{1, \dots, n\}$ of size exactly $w$ such that $\sum_{i \in S} z_i = t$?

If $w = n$, the problem can be solved by comparing the sum with $t$. Therefore, we can assume that $w < n$. Given an instance $\{z_1, \dots, z_n\}$ of subset sum, to check if there is a subset of size $w < n$ summing to $t$, the reduction first creates the following matrix:

$$
M_w = \begin{bmatrix}
1 & 1 & \cdots & 1 & 0 \\
z_1 & z_2 & \cdots & z_n & 0 \\
\vdots & \vdots & & \vdots & \vdots \\
z_1^{w-2} & z_2^{w-2} & \cdots & z_n^{w-2} & 0 \\
z_1^{w-1} & z_2^{w-1} & \cdots & z_n^{w-1} & 1 \\
z_1^{w} & z_2^{w} & \cdots & z_n^{w} & t
\end{bmatrix}
\qquad (2.4)
$$

Lemma 2.6 (stated and proved below) shows that $M_w$ has a null vector of sparsity at most $w + 1$ if and only if $z_{i_1} + z_{i_2} + \cdots + z_{i_w} = t$ for some $i_1 < i_2 < \cdots < i_w$.

To create an instance of SparseLatticeVector, the reduction creates a matrix $N$ such that the columns of $N$ span the kernel of $M_w$ via $\mathbb{Z}$-linear combinations (see Lemma 2.3). The instance $(\mathcal{L}, w)$, where $\mathcal{L}$ is the column lattice of $N$, is fed to an algorithm claiming to solve the Sparse Vector Problem. □

Lemma 2.6. The matrix $M_w$ from equation (2.4) has a null vector of Hamming weight $w + 1$ if and only if $z_{i_1} + z_{i_2} + \cdots + z_{i_w} = t$ for some $i_1 < i_2 < \cdots < i_w$.

Proof. We will first prove that the sparsest null vector has weight at least $w + 1$. To see this, consider the submatrix formed by any set of $w$ columns. (We can assume that the last column is included in this set since otherwise the submatrix has a Vandermonde minor of size $w \times w$, and hence the columns are independent.) Since the principal minor of such a submatrix is a $(w-1) \times (w-1)$ Vandermonde matrix, the rows are independent. On adding either of the last two rows, the row-rank only increases since the other rows do not contain a nonzero entry in the last coordinate. Hence the row-rank (and hence the column-rank) of this submatrix is at least $w$, and hence the sparsest null vector of $M_w$ has weight at least $w + 1$.

Consider a $(w + 1)$-sized subset of columns. If the last column is not in this set, the chosen columns form a Vandermonde matrix with nonzero determinant (since the $z_i$ are distinct). Therefore assume that the last column is among those chosen; the determinant of the resulting matrix can be expanded as:

$$
\det\begin{bmatrix}
1 & \cdots & 1 & 0 \\
z_{i_1} & \cdots & z_{i_w} & 0 \\
\vdots & & \vdots & \vdots \\
z_{i_1}^{w-1} & \cdots & z_{i_w}^{w-1} & 1 \\
z_{i_1}^{w} & \cdots & z_{i_w}^{w} & t
\end{bmatrix}
= t \det\begin{bmatrix}
1 & \cdots & 1 \\
z_{i_1} & \cdots & z_{i_w} \\
\vdots & & \vdots \\
z_{i_1}^{w-1} & \cdots & z_{i_w}^{w-1}
\end{bmatrix}
- \det\begin{bmatrix}
1 & \cdots & 1 \\
z_{i_1} & \cdots & z_{i_w} \\
\vdots & & \vdots \\
z_{i_1}^{w-2} & \cdots & z_{i_w}^{w-2} \\
z_{i_1}^{w} & \cdots & z_{i_w}^{w}
\end{bmatrix}.
$$

The first of the matrices on the right-hand side is a Vandermonde matrix, whose determinant is well-known to be $\prod_{i_j < i_k} (z_{i_k} - z_{i_j})$. The second matrix is a first-order alternant whose determinant is known to be $(z_{i_1} + z_{i_2} + \cdots + z_{i_w}) \prod_{i_j < i_k} (z_{i_k} - z_{i_j})$. Hence the determinant of the entire matrix is $\left(t - \sum_{k} z_{i_k}\right) \prod_{i_j < i_k} (z_{i_k} - z_{i_j})$. Since all the $z_i$ are distinct, the determinant vanishes if and only if the first term vanishes, which holds when there exists a subset of $\{z_1, z_2, \dots, z_n\}$ of size $w$ summing to $t$. □



3 Binomial multiples over Q 

In this section we completely solve the problem of determining if there exists a binomial multiple of a rational input polynomial (i.e., a multiple of sparsity $t = 2$). That is, given input $f \in \mathbb{Q}[x]$ of degree $d$, we determine if there exists a binomial multiple $h = x^m - a \in \mathbb{Q}[x]$ of $f$, and if so, find such an $h$ with minimal degree. The constant coefficient $a$ will be given as a pair $(r, e) \in \mathbb{Q} \times \mathbb{N}$ representing $r^e \in \mathbb{Q}$. The algorithm requires a number of bit operations which is polynomial in $d$ and $\log \mathcal{H}(f)$. No a priori bounds on the degree or height of $h$ are required. We show that $m$ may be exponential in $d$, and $\log a$ may be exponential in $\log \mathcal{H}(f)$, and give a family of polynomials with these properties.
Algorithm 3.1: Lowest degree Binomial Multiple of a Rational Polynomial

Input: $f \in \mathbb{Q}[x]$
Output: The lowest degree binomial multiple $h \in \mathbb{Q}[x]$ of $f$, or "NONE"

1  Factor $f$ into irreducible factors: $f = x^b f_1 f_2 \cdots f_u$
2  if $f$ is not squarefree then return "NONE"
3  for $i = 1, 2, 3, \dots, u$ do
4    $d_i \leftarrow \deg f_i$
5    $m_i \leftarrow$ least $k \in \{d_i, d_i + 1, \dots, d_i \cdot (\lceil 3 d_i \ln\ln d_i \rceil + 7)\}$ such that $x^k \operatorname{rem} f_i \in \mathbb{Q}$
6    if no such $m_i$ is found then return "NONE"
7    else $r_i \leftarrow x^{m_i} \operatorname{rem} f_i$
8  $m \leftarrow \mathrm{lcm}(m_1, \dots, m_u)$
9  foreach 2-subset $\{i, j\} \subseteq \{1, \dots, u\}$ do
10   if $|r_i|^{m_j} \ne |r_j|^{m_i}$ then return "NONE"
11   else if $\mathrm{sign}(r_i^{m/m_i}) \ne \mathrm{sign}(r_j^{m/m_j})$ then $m \leftarrow 2 \cdot \mathrm{lcm}(m_1, \dots, m_u)$
12 return $x^b (x^m - r_1^{m/m_1})$, with $r_1$ and $m/m_1$ given separately



Algorithm 3.1 begins by factoring the given polynomial $f \in \mathbb{Q}[x]$ into irreducible factors (using, e.g., the algorithm of Lenstra et al. (1982)). We then show how to find a binomial multiple of each irreducible factor, and finally provide a combining strategy for the different multiples.

The following theorem of Risman (1976) characterizes binomial multiples of irreducible polynomials. Let $\phi(n)$ be Euler's totient function, the number of positive integers less than or equal to $n$ which are coprime to $n$.

Fact 3.1 (Risman (1976), Proposition 4, Corollary 2.2). Let $f \in \mathbb{Q}[x]$ be irreducible of degree $d$. Suppose the least-degree binomial multiple of $f$ (if one exists) is of degree $m$. Then there exist $n, t \in \mathbb{N}$ with $n \mid d$ and $\phi(t) \mid d$ such that $m = n \cdot t$.

The following, easily derived from explicit bounds in Rosser and Schoenfeld (1962), gives a polynomial bound on $m$.

Lemma 3.2. For all integers $n \ge 2$, $\phi(\lceil 3n \ln\ln n \rceil + 7) > n$.

Proof. Rosser and Schoenfeld (1962), Theorem 15, implies that for all $n \ge 3$

$$\phi(n) > \frac{0.56146 \cdot n}{\ln\ln n + 1.40722}.$$

It is then easily derived by basic calculus that

$$\phi(3n \log\log n) > \frac{0.56146 \cdot (3n \log\log n)}{\ln\ln(3n \log\log n) + 1.40722} > n$$

for $n \ge 24348$. The inequality in the lemma statement is verified mechanically (say using Maple) for $2 \le n \le 24348$. □
Combining Fact 3.1 with Lemma 3.2, we obtain the following explicit upper bound on the maximum degree of a binomial multiple of an irreducible polynomial.

Theorem 3.3. Let $f \in \mathbb{Q}[x]$ be irreducible of degree $d$. If a binomial multiple of $f$ exists, and has minimal degree $m$, then $m \le d \cdot (\lceil 3d \ln\ln d \rceil + 7)$.

Proof. By Fact 3.1, $m = n \cdot t$ such that $n \mid d$ and $\phi(t) \mid d$. Define $\ell(n) = \lceil 3n \ln\ln n \rceil + 7$, and define $\ell^{-1}(t)$ to be the smallest integer $n$ such that $\ell(n) \ge t$. From Lemma 3.2, we have that $\phi(\ell(n)) > n$ for $n \ge 2$. Hence, $d \ge \phi(t) \ge \ell^{-1}(t)$. Since $\ell$ is a non-decreasing function, $d \ge \ell^{-1}(t)$ implies that $\ell(d) \ge t$. Thus $m = n \cdot t \le d \cdot \ell(d) \le d \cdot (\lceil 3d \ln\ln d \rceil + 7)$. □

The above theorem ensures that for an irreducible $f_i$, Step 5 of Algorithm 3.1 computes the least-degree binomial multiple $x^{m_i} - r_i$ if it exists, and otherwise correctly reports failure. It clearly runs in polynomial time.

If $f$ has any repeated factor, then it cannot have a binomial multiple (see Lemma 4.1 below). So assume the factorization of $f$ is as computed in Step 1, and moreover $f$ is squarefree. If any factor does not have a binomial multiple, neither can the product. If every irreducible factor does have a binomial multiple, Step 5 computes the one with the least degree. The following relates the degree of the minimal binomial multiple of the input polynomial to those of its irreducible factors.

Lemma 3.4. Let $f \in \mathbb{Q}[x]$ be such that $f = f_1 \cdots f_u \in \mathbb{Q}[x]$ for distinct, irreducible $f_1, \dots, f_u \in \mathbb{Q}[x]$. Let $f_i \mid (x^{m_i} - r_i)$ for minimal $m_i \in \mathbb{N}$ and $r_i \in \mathbb{Q}$, and let $f \mid (x^m - r)$ for $r \in \mathbb{Q}$. Then $\mathrm{lcm}(m_1, \dots, m_u) \mid m$.

Proof. It suffices to prove that if $f \mid (x^m - r)$ and $f_i \mid (x^{m_i} - r_i)$ for minimal $m_i$ then $m_i \mid m$, since any multiple of $f$ is also a multiple of $f_i$.

Assume for the sake of contradiction that $m = c m_i + \ell$ for $0 < \ell < m_i$. Then for any root $\alpha \in \mathbb{C}$ of $f_i$, we have that $r = \alpha^m = \alpha^{c m_i} \cdot \alpha^\ell = r_i^c \cdot \alpha^\ell$. Since $r$ and $r_i$ are both rational, so is $\alpha^\ell$. Also $\alpha^\ell = \beta^\ell$ for any two roots $\alpha, \beta \in \mathbb{C}$ of $f_i$. Hence $f_i \mid x^\ell - \alpha^\ell$ and $\ell < m_i$, contradicting the minimality of $m_i$.

Thus $m_i \mid m$, and therefore $\mathrm{lcm}(m_1, \dots, m_u) \mid m$. □

Lemma 3.5. For a polynomial $f \in \mathbb{Q}[x]$ factored into distinct irreducible factors $f = f_1 f_2 \cdots f_u$, with $f_i \mid (x^{m_i} - r_i)$ for $r_i \in \mathbb{Q}$ and minimal such $m_i$, a binomial multiple of $f$ exists if and only if $|r_i|^{m_j} = |r_j|^{m_i}$ for every pair $1 \le i, j \le u$. If a binomial multiple exists, the least-degree binomial multiple of $f$ is $x^m - r_i^{m/m_i}$ such that $m$ either equals the least common multiple of the $m_i$ or twice that number. It can be efficiently checked which of these cases holds.

Proof. Let $\alpha_i \in \mathbb{C}$ be a root of $f_i$. For any candidate binomial multiple $x^m - r$ of $f$, we have (from Lemma 3.4) that $m_i \mid m$.

First, suppose that such a binomial multiple exists: $f \mid (x^m - r)$ with $r \in \mathbb{Q}$. It is easily seen from $\alpha_i^m = r$ and $\alpha_i^{m_i} = r_i$ that $r_i^{m/m_i} = r$. Since this holds for any $f_i$, we see that $r_i^{m/m_i} = r = r_j^{m/m_j}$ for any $1 \le i, j \le u$. Thus $|r_i|^{m_j} = |r_j|^{m_i}$ must hold.

Conversely, suppose that $|r_i|^{m_j} = |r_j|^{m_i}$ holds for every pair $1 \le i, j \le u$. We get that $|\alpha_i|^{m_i m_j} = |\alpha_j|^{m_i m_j}$, and hence $|\alpha_i^\ell| = |\alpha_j^\ell|$ for $\ell = \mathrm{lcm}(m_1, \dots, m_u)$. But the $\alpha_i^\ell$ are all rational since $m_i \mid \ell$. Thus $\alpha_i^{2\ell} = \alpha_j^{2\ell}$ for every pair $i, j$. Thus, there exists a binomial multiple of the original polynomial of degree $2\ell$.

To check whether $\alpha_i^\ell = \alpha_j^\ell$ holds (or in other words if the degree of the binomial multiple is actually the lcm), it suffices to check whether the sign of each $\alpha_i^\ell$ is the same. This is equivalent to checking whether the sign of each $r_i^{\ell/m_i}$ is the same. Since we can explicitly compute $\ell$ and all the $r_i$, the sign of each $r_i^{\ell/m_i}$ can be easily computed from the sign of $r_i$ and the parity of $\ell/m_i$. □

The following comes directly from the previous lemma and the fact that Algorithm 3.1 performs polynomially many arithmetic operations.

Theorem 3.6. Given a polynomial $f \in \mathbb{Q}[x]$, Algorithm 3.1 outputs the least-degree binomial multiple $x^m - r_i^{m/m_i}$ (with $r_i$ and $m/m_i$ output separately) if one exists or correctly reports the lack of a binomial multiple otherwise. Furthermore, it runs in deterministic time $(d + \mathcal{H}(f))^{O(1)}$.

The constant coefficient of the binomial multiple cannot be output in standard form, but must remain an unevaluated power; the next theorem exhibits an infinite family of polynomials whose minimal binomial multiples have exponentially sized degrees and heights.
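The following Python script is an added illustration of Steps 3 to 12 of Algorithm 3.1 together with the pairwise tests of Lemma 3.5; it is not the authors' code. It assumes the factorization of Step 1 has already been done, so its input is the list of distinct irreducible factors $f_1, \dots, f_u$ (each coprime to $x$) and the exponent $b$; Step 5 is carried out by maintaining $x^k \operatorname{rem} f_i$ incrementally. The function names are my own, and the search range for a degree-1 factor is taken to be $\{1\}$ since $\ln\ln 1$ is undefined.

```python
from fractions import Fraction
from itertools import combinations
from math import ceil, lcm, log

# A polynomial is a list of coefficients, lowest degree first: [c0, c1, ..., cd].

def monic(f):
    """Divide by the leading coefficient; binomial multiples do not depend on this scaling."""
    f = [Fraction(c) for c in f]
    while f and f[-1] == 0:
        f.pop()
    return [c / f[-1] for c in f]

def degree_bound(d):
    """Upper end of the search range of Step 5: d * (ceil(3 d ln ln d) + 7), from Theorem 3.3.
    Assumption (mine): for d = 1, where ln ln d is undefined, k = 1 always works, so use 1."""
    if d < 2:
        return d
    return d * (ceil(3 * d * log(log(d))) + 7)

def least_binomial_degree(fi):
    """Steps 5 and 7 for one irreducible factor fi coprime to x: the least k >= deg fi such that
    x^k rem fi is a constant r, returned as (k, r); None if no k in the range works."""
    fi = monic(fi)
    d = len(fi) - 1
    res = [Fraction(0)] * d          # residue of x^k modulo fi, starting from x^0 = 1
    res[0] = Fraction(1)
    for k in range(1, degree_bound(d) + 1):
        top = res[d - 1]             # coefficient that becomes x^d after multiplying by x
        res = [Fraction(0)] + res[:-1]
        if top != 0:                 # x^d = -(f0 + f1 x + ... + f_{d-1} x^{d-1}) as fi is monic
            res = [c - top * fi[j] for j, c in enumerate(res)]
        if k >= d and all(c == 0 for c in res[1:]):
            return k, res[0]
    return None

def binomial_multiple(factors, b=0):
    """Steps 3-12 of Algorithm 3.1 for f = x^b * f_1 * ... * f_u with the f_i distinct and
    irreducible. Returns (b, m, r1, e) encoding x^b (x^m - r1^e), or None if no binomial
    multiple exists."""
    data = []
    for fi in factors:
        found = least_binomial_degree(fi)
        if found is None:            # Step 6: some factor has no binomial multiple
            return None
        data.append(found)
    m = lcm(*(mi for mi, _ in data))                       # Step 8
    for (mi, ri), (mj, rj) in combinations(data, 2):       # Steps 9-10: |r_i|^{m_j} = |r_j|^{m_i}
        if abs(ri) ** mj != abs(rj) ** mi:
            return None
    # Step 11: sign of r_i^{m/m_i} is the sign of r_i when m/m_i is odd, positive otherwise
    signs = {1 if (ri > 0 or (m // mi) % 2 == 0) else -1 for mi, ri in data}
    if len(signs) > 1:
        m *= 2
    m1, r1 = data[0]
    return b, m, r1, m // m1                               # Step 12
```

For $f = x(x^2 + 1)(x - 1)$ the factors give $(m_1, r_1) = (2, -1)$ and $(m_2, r_2) = (1, 1)$; the absolute-value test passes, the signs of $(-1)^{2/2}$ and $1^{2/1}$ differ, so $m$ is doubled to 4 and the output encodes $x(x^4 - (-1)^2) = x(x^4 - 1)$.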

Theorem 3.7. For any $d \ge 841$ there exists a polynomial $f \in \mathbb{Z}[x]$ of degree at most $d \log d$ and height $\mathcal{H}(f) \le \exp(2d \log d)$ whose minimal binomial multiple $x^m - a$ is such that $m > \exp(\sqrt{d})$ and $\mathcal{H}(a) \ge 2^{\exp(\sqrt{d})}$.

Proof. We construct the family from a product of cyclotomic polynomials. Let $p_i \in \mathbb{N}$ be the $i$th largest prime, and let $\Phi_{p_i} = (x^{p_i} - 1)/(x - 1) \in \mathbb{Z}[x]$ be the $p_i$th cyclotomic polynomial (whose roots are the primitive $p_i$th roots of unity). This is well known to be irreducible in $\mathbb{Q}[x]$.

Let $\ell = \lceil \sqrt{2d} \rceil$ and $g = \prod_{1 \le i \le \ell} \Phi_{p_i}$. Then, using the fact easily derived from Rosser and Schoenfeld (1962), Theorem 3, that $i \log i < p_i < 1.25\, i \log i$ for all $i \ge 25$ and verifying that $(p_i - 1) < 1.5\, i \log i$ mechanically for smaller values of $i$,

$$\deg g = \sum_{1 \le i \le \ell} (p_i - 1) \ge \sum_{1 \le i \le \ell} i = \frac{\ell(\ell + 1)}{2} \ge d,$$

and

$$\deg g = \sum_{1 \le i \le \ell} (p_i - 1) < \sum_{1 \le i \le \ell} 1.5\, i \log i \le 1.5 \left( \frac{\ell^2 + \ell}{2} \right) \log \ell \le d \log d.$$

The degree $m$ of the minimal binomial multiple is the lcm of the orders of the roots, and hence equal to the product of primes less than or equal to $p_\ell$. This is $\exp(\vartheta(p_\ell))$ (where $\vartheta$ is the Chebyshev theta function), and for $\ell > 41$

$$m = \exp(\vartheta(p_\ell)) \ge \exp(\vartheta(\ell)) > \exp\left( \ell - \frac{\ell}{\ln \ell} \right) > \exp(\sqrt{d})$$

for $d \ge 841$, where the bounds on $\vartheta$ are derived from Rosser and Schoenfeld (1962), Theorem 4.

Now let $f = g(2x)$, so the minimal binomial multiple of $f$ is $x^m - 1/2^m$. We have that

$$\mathcal{H}(g) \le \prod_{1 \le i \le \ell} (1 + p_i) \le 2^\ell \prod_{1 \le i \le \ell} p_i \le \exp(2\ell \log \ell)$$

and

$$\mathcal{H}(f) \le 2^{\deg g}\, \mathcal{H}(g) \le 2^{d \log d} \exp\left( d \log d + 2\sqrt{2d} \log \sqrt{2d} \right) \le \exp(2d \log d)$$

for all $d \ge 841$. □



4 Computing $t$-sparse multiples over $\mathbb{Q}$

We examine the problem of computing $t$-sparse multiples of rational polynomials, for any fixed positive integer $t$. As with other types of polynomial computations, it seems that cyclotomic polynomials behave quite differently from cyclotomic-free ones. Accordingly, we first examine the case that our input polynomial $f$ consists only of cyclotomic or cyclotomic-free factors. Then we see how to combine them, in the case that none of the cyclotomic factors are repeated.

Specifically, we will show that, given any rational polynomial $f$ which does not have repeated cyclotomic factors, and a height bound $c \in \mathbb{N}$, we can compute a sparsest multiple of $f$ with height at most $c$, or conclude that none exists, in time polynomial in the size of $f$ and $\log c$ (but exponential in $t$).

First, notice that multiplying a polynomial by a power of $x$ does not affect the sparsity, and so without loss of generality we may assume all polynomials are relatively prime to $x$; we call such polynomials non-original since they do not pass through the origin.

4.1 The cyclotomic case

Suppose the input polynomial $f$ is a product of cyclotomic factors, and write the complete factorization of $f$ as

$$f = \Phi_{i_1}^{e_1} \Phi_{i_2}^{e_2} \cdots \Phi_{i_k}^{e_k}, \qquad (4.1)$$

where $\Phi_j$ indicates the $j$th cyclotomic polynomial, the $i_j$'s are all distinct, and the $e_j$'s are positive integers. Now let $m = \mathrm{lcm}(i_1, \dots, i_k)$. Then $m$ is the least integer such that $\Phi_{i_1} \cdots \Phi_{i_k}$ divides $x^m - 1$. Let $\ell = \max_j e_j$, the maximum multiplicity of any factor of $f$. This means that $(x^m - 1)^\ell$ is an $(\ell + 1)$-sparse multiple of $f$. To prove that this is in fact a sparsest multiple of $f$, we first require the following simple lemma. Here and for the remainder, for a univariate polynomial $f \in F[x]$, we denote by $f'$ the first derivative with respect to $x$, that is, $\frac{d}{dx} f$.

Lemma 4.1. Let $h \in \mathbb{Q}[x]$ be a t-sparse and non-original polynomial, and write $h = a_1 + a_2 x^{d_2} + \cdots + a_t x^{d_t}$. Assume the complete factorization of $h$ over $\mathbb{Q}[x]$ is $h = a\, h_1^{e_1} \cdots h_k^{e_k}$, with each $h_i$ monic and irreducible. Then $\max_i e_i \le t - 1$.

Proof. Without loss of generality, assume $h$ is exactly t-sparse, and each $d_j \ne 0$.

The proof is by induction on t. If $t = 1$ then $h = a_1$ is a constant, so $\max_i e_i = 0$ and the statement holds. Otherwise, assume the statement holds for $(t - 1)$-sparse polynomials.

Write the so-called "sparse derivative" $\hat h$ of $h$ as

$\hat h = \dfrac{h'}{x^{d_2 - 1}} = a_2 d_2 + a_3 d_3 x^{d_3 - d_2} + \cdots + a_t d_t x^{d_t - d_2}.$

For any $i$ with $e_i > 0$, we know that $h_i^{e_i - 1}$ divides $h'$, and $h_i$ is relatively prime to $x^{d_2 - 1}$ since the constant coefficient of $h$ is nonzero. Therefore $h_i^{e_i - 1}$ divides $\hat h$. By the inductive hypothesis, since $\hat h$ is $(t - 1)$-sparse and non-original, $e_i - 1 \le t - 2$, and therefore $e_i \le t - 1$. Since $i$ was chosen arbitrarily, $\max_i e_i \le t - 1$. □

An immediate consequence is the following:

Corollary 4.2. Let $f \in \mathbb{Q}[x]$ be a product of cyclotomic polynomials, written as in (4.1). Then

$h = \left(x^{\mathrm{lcm}(i_1, \ldots, i_k)} - 1\right)^{\max_i e_i}$

is a sparsest multiple of $f$.

Proof. Clearly $h$ is a multiple of $f$ with exactly $\max_i e_i + 1$ nonzero terms. By way of contradiction, suppose a $(\max_i e_i)$-sparse multiple of $f$ exists; call it $\hat h$. Without loss of generality, we can assume that $\hat h$ is non-original. Then from Lemma 4.1, the maximum multiplicity of any factor of $\hat h$ is at most $\max_i e_i - 1$. But this contradicts the fact that each $\Phi_{i_j}^{e_j}$ must divide $\hat h$. Therefore the original statement is false, and every multiple of $f$ has at least $\max_i e_i + 1$ nonzero terms. □



4.2 The cyclotomic-free case 

We say a polynomial $f \in \mathbb{Q}[x]$ is cyclotomic-free if it contains no cyclotomic factors. Here we will show that a sparsest multiple of a cyclotomic-free polynomial must have degree bounded by a polynomial in the size of the input and output.

First we need the following elementary lemma. 
Lemma 4.3. Suppose $f, h \in \mathbb{Q}[x]$ with $f$ irreducible, and $k$ is a positive integer. Then $f^k \mid h$ if and only if $f \mid h$ and $f^{k-1} \mid h'$.

Proof. The $\Rightarrow$ direction is straightforward.

For the $\Leftarrow$ direction, suppose $f \mid h$ and $f^{k-1} \mid h'$. Let $\ell$ be the maximum multiplicity of $f$ in $h$, and write $h = f^\ell g$ with $g \in \mathbb{Q}[x]$ relatively prime to $f$.

We can write $h' = f^{\ell - 1}(f g' + \ell f' g)$. Now, by way of contradiction, assume that $k > \ell$. Then $f$ divides $f g' + \ell f' g$, and therefore $f$ divides $\ell f' g$. But this is impossible from the assumption that $f$ is irreducible and relatively prime to $g$. Therefore $k \le \ell$, and $f^k \mid f^\ell \mid h$. □

The following technical lemma provides the basis for our degree bound on the sparsest multiple of a non-cyclotomic polynomial.

Lemma 4.4. Let $f, h_1, h_2, \ldots, h_\ell \in \mathbb{Q}[x]$ be non-original polynomials, where $f$ is irreducible and non-cyclotomic with degree $d$, and each $h_i$ satisfies $\deg h_i \le u$ and $\mathcal{H}(h_i) \le c$. Also let $k, m_1, m_2, \ldots, m_\ell$ be positive integers such that

$f^k \mid \left(h_1 x^{m_1} + h_2 x^{m_2} + \cdots + h_\ell x^{m_\ell}\right).$

Then $f^k$ divides each $h_i$ whenever every "gap length", for $1 \le i < \ell$, satisfies

$m_{i+1} - m_i - \deg h_i > \tfrac{1}{2} d \cdot \ln^3(3d) \cdot \ln\!\left(u^{k-1} c\,(t - 1)\right).$ (4.2)

Proof. The proof is by induction on $k$. For the base case, let $k = 1$. Then we have a separate, inner induction on $\ell$. The inner base case, when $k = \ell = 1$, is clear since $f$ is non-original. Now assume the lemma holds whenever $k = 1$ and $1 \le \ell - 1 < r$ for some $r \ge 2$. Let $g_1 = h_1 x^{m_1}$ and $g_2 = h_2 + \cdots + h_\ell x^{m_\ell - m_2}$, so that $f \mid (g_1 + g_2 x^{m_2})$. Since

$m_2 - \deg g_1 > \tfrac{1}{2} d \cdot \ln^3(3d) \cdot \ln(c\,(t - 1)),$

we can apply (Lenstra, 1999, Proposition 2.3) to conclude that $f \mid g_1$ and $f \mid g_2$. This means $f \mid h_1$ and, by the inner induction hypothesis, $f \mid h_i$ for $2 \le i \le \ell$ as well. Therefore the lemma holds whenever $k = 1$.

Now assume the lemma holds whenever $\ell \ge 1$ and $1 \le k < s$, for some $s \ge 2$. Next let $\ell$ be arbitrary and $k = s$. So we write $f^s \mid (h_1 x^{m_1} + \cdots + h_\ell x^{m_\ell})$.

The derivative of the right hand side is

$h_1' x^{m_1} + m_1 h_1 x^{m_1 - 1} + \cdots + h_\ell' x^{m_\ell} + m_\ell h_\ell x^{m_\ell - 1},$

which must be divisible by $f^{s-1}$. But by the induction hypothesis, $f^{s-1}$ also divides each $h_i$, so we can remove all terms with $h_i$ from the previous formula and conclude that $f^{s-1} \mid (h_1' x^{m_1} + \cdots + h_\ell' x^{m_\ell})$.

Since each $\mathcal{H}(h_i) \le c$ and $\deg h_i \le u$, the height of the derivative satisfies $\mathcal{H}(h_i') \le uc$. A second application of the induction hypothesis therefore shows that each $h_i'$ is divisible by $f^{s-1}$. Since $s - 1 \ge 1$, we already know that each $h_i$ is divisible by $f$, and then applying Lemma 4.3 completes the proof. □
Our main tool in proving that Algorithm 2.2 is useful for computing the sparsest multiple of a rational polynomial, given only a bound $c$ on the height, in polynomial time in the size of $f$ and $\log c$, is the following degree bound on the sparsest height-bounded multiple of a rational polynomial.

Theorem 4.5. Let $f \in \mathbb{Q}[x]$ with $\deg f = d$ be cyclotomic-free, and let $t, c \in \mathbb{N}$ such that $f$ has a nonzero t-sparse multiple with height at most $c$. Denote by $n$ the smallest degree of any such multiple of $f$. Then $n$ satisfies

$n \le 2(t - 1)\, B \ln B,$ (4.3)

where $B$ is the formula polynomially bounded by $d$, $\log c$, and $\log t$ defined as

$B = \tfrac{1}{2} d^2 \cdot \ln^3(3d) \cdot \ln(\bar c\,(t - 1)),$ (4.4)

and $\bar c = \max(c, 35)$.

Proof. Let $h$ be a t-sparse multiple of $f$ with degree $n$ and height $\mathcal{H}(h) \le c$. Without loss of generality, assume $d \ge 1$, $t \ge 2$, and both $f$ and $h$ are non-original.

By way of contradiction, assume $n > 2(t - 1) B \ln B$. For any univariate polynomial define the gap lengths to be the differences of consecutive exponents of nonzero terms. Split $h$ at every gap greater than $2 B \ln B$ by writing

$h = h_1 x^{m_1} + h_2 x^{m_2} + \cdots + h_\ell x^{m_\ell},$

where each $h_i \in \mathbb{Q}[x]$ has nonzero constant term and each gap length satisfies $m_{i+1} - m_i - \deg h_i > 2 B \ln B$. Since we split $h$ at every sufficiently large gap, and $h$ has at most t nonzero terms, each $h_i$ has degree at most $u = 2(t - 1) B \ln B$.

We want to show that the gap length $2 B \ln B$ is sufficiently large to apply Lemma 4.4. For this, first notice that $2 B \ln B = B \ln(B^2)$. Since $B$ is positive, $B^2 > 2 B \ln B$, so the gap length is greater than $B \ln(2 B \ln B)$.

Since $\bar c \ge 35$, $B \ge 2.357$, and then

$(d - 1) \ln(2 B \ln B) \cdot \ln\!\left(\bar c\,(t - 1)^d\right) \ge \ln\!\left((2 B \ln B)^{d-1} \cdot \bar c\,(t - 1)^d\right) = \ln\!\left(u^{d-1} \bar c\,(t - 1)\right).$

Then from the definition of $B$ in (4.4), the gap length satisfies

$2 B \ln B > B \ln(2 B \ln B) \ge \tfrac{1}{2} d \cdot \ln^3(3d) \cdot \ln\!\left(u^{d-1} \bar c\,(t - 1)\right).$

Finally, notice that the maximum multiplicity of any factor of $f$ is at most $\deg f = d$. Thus, using the notation of Lemma 4.4, $d \ge k$. Therefore Lemma 4.4 applies to each factor of $f$ (to full multiplicity) and we conclude that $f$ divides each $h_i$.

But then, since there is at least one gap and $\ell > 1$, $h_1$ is a multiple of $f$ with fewer terms and lower degree than $h$. This is a contradiction, which completes the proof. □






In order to compute the sparsest multiple of a rational polynomial with no cyclotomic or repeated factors, we therefore can simply call Algorithm 2.2 with the given height bound $c$ and degree bound as specified in (4.3).

4.3 Handling cyclotomic factors

Suppose $f$ is any non-original rational polynomial with no repeated cyclotomic factors. Factor $f$ as $f = f_C \cdot f_D$, where $f_C$ is a squarefree product of cyclotomics and $f_D$ is cyclotomic-free. Write the factorization of $f_C$ as $f_C = \Phi_{i_1} \cdots \Phi_{i_k}$, where $\Phi_n$ is the $n$th cyclotomic polynomial. Since every $i$th root of unity is also an $(im)$th root of unity for any $m \in \mathbb{N}$, $f_C$ must divide the binomial $x^{\mathrm{lcm}(i_1, \ldots, i_k)} - 1$, which is in fact a sparsest multiple of $f_C$ (Corollary 4.2) and clearly has minimal height.

Then we will show that a sparsest height-bounded multiple of $f$ is either of small degree, or can be constructed as a sparsest height-bounded multiple of $f_D$ times the binomial multiple of $f_C$ specified above. Algorithm 4.1 uses this fact to compute a sparsest multiple of any such $f$.



Algorithm 4.1: Rational Sparsest Multiple

Input: Bounds $t, c \in \mathbb{N}$ and $f \in \mathbb{Q}[x]$ a non-original polynomial of degree $d$ with no repeated cyclotomic factors
Output: t-sparse multiple $h$ of $f$ with $\mathcal{H}(h) \le c$, or "NONE"

1 Factor $f$ as $f = \Phi_{i_1} \cdot \Phi_{i_2} \cdots \Phi_{i_k} \cdot f_D$, where $f_D$ is cyclotomic-free
2 $n \leftarrow$ degree bound from (4.3)
3 $\hat h \leftarrow \lfloor t/2 \rfloor$-sparse multiple of $f_D$ with $\mathcal{H}(\hat h) \le c$ and $\deg \hat h \le n$, using Algorithm 2.2
4 $\tilde h \leftarrow$ t-sparse multiple of $f$ with $\mathcal{H}(\tilde h) \le c$ and $\deg \tilde h \le n$, using Algorithm 2.2
5 if $\hat h$ = "NONE" and $\tilde h$ = "NONE" then return "NONE"
6 else if $\hat h$ = "NONE" or sparsity($\tilde h$) $\le 2 \cdot$ sparsity($\hat h$) then return $\tilde h$
7 $m \leftarrow \mathrm{lcm}\{i_1, i_2, \ldots, i_k\}$
8 return $\hat h \cdot (x^m - 1)$



Theorem 4.6. Let $f \in \mathbb{Q}[x]$ be a degree-$d$ non-original polynomial with no repeated cyclotomic factors. Given $f$ and integers $c$ and $t$, Algorithm 4.1 correctly computes a t-sparse multiple $h$ of $f$ satisfying $\mathcal{H}(h) \le c$, if one exists. The sparsity of $h$ will be minimal over all multiples with height at most $c$. The algorithm requires $(d \log c)^{O(t)} \cdot 2^{O(t \log t)} \cdot (\log \mathcal{H}(f))^{O(1)}$ bit operations.

Proof. Step 1 can be accomplished in the stated complexity bound using Lenstra et al. (1982). The cost of the remaining steps follows from basic arithmetic and Theorem 2.4. Define $\bar h$ to be the sparsest multiple of $f$ of least degree that satisfies $\mathcal{H}(\bar h) \le c$. We have two cases:

Case 1: $\deg \bar h \le n$. Then the computed $\tilde h$ must equal $\bar h$. Furthermore, since this is the sparsest multiple, either $\hat h$ does not exist or the sparsity of $\hat h \cdot (x^m - 1)$ is greater than or equal to the sparsity of $\tilde h$. So $\tilde h = \bar h$ is correctly returned by the algorithm in this case.

Case 2: $\deg \bar h > n$. Then, using Lemma 4.4, since $f_D \mid \bar h$, $\bar h$ can be written $\bar h = h_1 + x^i h_2$, for some $i > \deg h_1$, and $f_D$ divides both $h_1$ and $h_2$. By Theorem 2.4, sparsity($\hat h$) must then be less than or equal to each of sparsity($h_1$) and sparsity($h_2$). But since sparsity($\bar h$) = sparsity($h_1$) + sparsity($h_2$), this means that the sparsity of $\hat h \cdot (x^m - 1)$ is less than or equal to the sparsity of $\bar h$, and hence this is a sparsest multiple. □

4.4 An example 

Say we want to find a sparsest multiple, with coefficients at most 1000 in absolute value, of the following polynomial over $\mathbb{Z}[x]$.

$f = x^{10} - 5x^9 + 10x^8 - 8x^7 + 7x^6 - 4x^5 + 4x^4 + x^3 + x^2 - 2x + 4$

Note that finding the sparsest multiple would correspond to setting $t = 10$ in the algorithm (since the least-degree 11-sparse multiple is $f$ itself). To accomplish this, we first factor $f$ using (Lenstra et al., 1982) and identify cyclotomic factors:

$f = \underbrace{(x^2 - x + 1)}_{\Phi_6} \cdot \underbrace{(x^4 - x^3 + x^2 - x + 1)}_{\Phi_{10}} \cdot \underbrace{(x^4 - 3x^3 + x^2 + 6x + 4)}_{f_D}.$

Next, we calculate a degree bound from Theorem 4.5. Unfortunately, this bound is not very tight (despite being polynomial in the output size); using $t = 10$, $c = 1000$, and $f$ given above, the bound is $n \le 11\,195\,728$. So for this example, we will use the smaller (but artificial) bound of $n \le 20$.

The next step is to calculate the sparsest 5-sparse multiple of $f_D$ and 10-sparse multiple of $f$ with degrees at most 20 and heights at most 1000. Using Algorithm 2.2, these are respectively

$\hat h = x^{12} + 259x^6 + 64$

$\tilde h = x^{11} - 3x^{10} + 12x^8 - 9x^7 + 10x^6 - 4x^5 + 9x^4 + 3x^3 + 8.$

Since the sparsity of $\hat h$ is less than half that of $\tilde h$, a sparsest multiple is

$h = (x^{12} + 259x^6 + 64) \cdot (x^{\mathrm{lcm}(6,10)} - 1) = x^{42} + 259x^{36} + 64x^{30} - x^{12} - 259x^6 - 64.$
5 Sparse multiples over $\mathbb{F}_q$

We prove that for any constant t, finding the minimal degree t-sparse multiple of an $f \in \mathbb{F}_q[x]$ is harder than finding orders of elements in $\mathbb{F}_{q^e}$. Order finding is reducible to integer factorization and to discrete logarithm, but reductions in the other direction are not known for finite fields (Adleman and McCurley, 1994). However, at least for prime fields and assuming the Extended Riemann Hypothesis, a fast algorithm for order finding in finite fields would give an efficient procedure for computing primitive elements (Wang, 1959; Shoup, 1992). The latter problem is regarded as "one of the most important unsolved and notoriously hard problems in the computational theory of finite fields" (von zur Gathen and Shparlinski, 1999).

Formal problem definitions are as follows:

$\mathrm{SpMul}^{(t)}_{\mathbb{F}_q}(f, n)$: Given a polynomial $f \in \mathbb{F}_q[x]$ and an integer $n \in \mathbb{N}$, determine if there exists a (nonzero) t-sparse multiple $h \in \mathbb{F}_q[x]$ of $f$ with $\deg h \le n$.

$\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$: Given an element $a \in \mathbb{F}_{q^e}^*$ and an integer $n < q^e$, determine if there exists a positive integer $m \le n$ such that $a^m = 1$.

The problem $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$ is well-studied (see for instance Meijer (1996)), and has been used as a primitive in several cryptographic schemes. Note that an algorithm to solve $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$ will allow us to determine the multiplicative order of any $a \in \mathbb{F}_{q^e}^*$ (the smallest nonzero $m$ such that $a^m = 1$) with essentially the same cost (up to a factor of $O(e \log q)$) by using binary search.

The reduction from $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$ to $\mathrm{SpMul}^{(t)}_{\mathbb{F}_q}(f, n)$ works as follows: Given an instance of $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$, we first check if the order $o_a$ of $a$ is less than t by brute force. Otherwise, we construct the minimal polynomial $g_{a^i}$ (over $\mathbb{F}_q$) for each $a^0, a^1, a^2, \ldots, a^{t-1}$. We only keep distinct $g_{a^i}$, and call the product of these distinct polynomials $f_{a,t}$. We then run the $\mathrm{SpMul}^{(t)}_{\mathbb{F}_q}(f, n)$ subroutine to search for the existence of a degree $n$, t-sparse multiple of the polynomial $f_{a,t}$.

Theorem 5.1. Let $a \in \mathbb{F}_{q^e}$ be an element of order at least t. Then the least degree t-sparse multiple of $f_{a,t}$ is $x^{o_a} - 1$ where $o_a$ is the order of $a$.

Proof. It is easy to see that $x^{o_a} - 1$ is a multiple of the given polynomial. We need to prove that it is actually the least-degree t-sparse multiple.

By equation (2.2) in Section 2, a degree $n$ multiple $h = h_0 + h_1 x + \cdots + h_n x^n$ of $f_{a,t}$ corresponds to the following set of linear equations:

$$\underbrace{\begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & a & a^2 & \cdots & a^n \\ 1 & a^2 & a^4 & \cdots & a^{2n} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & a^{t-1} & a^{2(t-1)} & \cdots & a^{(t-1)n} \end{pmatrix}}_{A(f_{a,t},\, n)} \begin{pmatrix} h_0 \\ h_1 \\ h_2 \\ \vdots \\ h_n \end{pmatrix} = 0.$$

To prove that no t-sparse multiple $h$ of degree less than $o_a$ exists, it suffices to show that any t columns of $A(f_{a,t}, o_a - 1)$ are linearly independent. Consider the $(t \times t)$-matrix corresponding to some choice of t columns $i_1 < i_2 < \cdots < i_t$:

$$B = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ a^{i_1} & a^{i_2} & \cdots & a^{i_t} \\ \vdots & \vdots & \ddots & \vdots \\ a^{(t-1) i_1} & a^{(t-1) i_2} & \cdots & a^{(t-1) i_t} \end{pmatrix}.$$

This Vandermonde matrix $B$ has determinant $\prod_{1 \le j < k \le t} (a^{i_k} - a^{i_j})$ which is nonzero since $i_j < i_k < o_a$ and hence $a^{i_j} \ne a^{i_k}$. Thus the least-degree t-sparse multiple of the given polynomial is $x^{o_a} - 1$. □

Of cryptographic interest is the fact that the order-finding polynomials in the reduction above are sufficiently dense in $\mathbb{F}_q[x]$ that the reduction also holds in the average case. That is, an algorithm for sparsest multiples that is polynomial-time on average would imply an average case polynomial-time algorithm for order finding in $\mathbb{F}_{q^d}$.

Next we give a probabilistic algorithm for finding the least degree binomial multiple for polynomials $f \in \mathbb{F}_q[x]$. This algorithm makes repeated calls to an $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$ (defined in the previous section) subroutine. Combined with the hardness result of the previous section (with $t = 2$), this characterizes the complexity of finding least-degree binomial multiples in terms of the complexity of $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$, up to randomization.

Algorithm 5.1 solves the binomial multiple problem in $\mathbb{F}_q$ by making calls to an $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$ procedure that computes the order of elements in extension fields of $\mathbb{F}_q$. Thus $\mathrm{SpMul}^{(2)}_{\mathbb{F}_q}(f)$ reduces to $\mathrm{Order}_{\mathbb{F}_{q^e}}(a, n)$ in probabilistic polynomial time. Construction of an irreducible polynomial (required for finite field arithmetic) as well as the factoring step in the algorithm make it probabilistic.

Theorem 5.2. Given $f \in \mathbb{F}_q[x]$ of degree $d$, Algorithm 5.1 correctly computes a binomial multiple $h$ of $f$ with least degree. It uses at most $d^2$ calls to a routine for order finding in $\mathbb{F}_{q^e}$, for various $e \le d$, and $d^{O(1)}$ other operations in $\mathbb{F}_q$. It is probabilistic of the Las Vegas type.

Algorithm 5.1: Least degree binomial multiple of $f$ over $\mathbb{F}_q$

Input: $f \in \mathbb{F}_q[x]$
Output: The least degree binomial multiple $h$ of $f$

1 Factor $f = x^b f_1^{e_1} f_2^{e_2} \cdots f_\ell^{e_\ell}$ for irreducible $f_1, \ldots, f_\ell \in \mathbb{F}_q[x]$, and set $d_i \leftarrow \deg f_i$
2 for $i = 1, 2, \ldots, \ell$ do
3     $a_i \leftarrow x \in \mathbb{F}_q[x]/(f_i)$, a root of $f_i$ in the extension $\mathbb{F}_{q^{d_i}}$
4     Calculate $o_i$, the order of $a_i$ in $\mathbb{F}_q[x]/(f_i)$
5 $n_1 \leftarrow \mathrm{lcm}(\{o_i / \gcd(o_i, q - 1)\})$ for all $i$ such that $d_i > 1$
6 $n_2 \leftarrow \mathrm{lcm}(\{\mathrm{order}(a_i / a_j)\})$ over all $1 \le i, j \le \ell$
7 $n \leftarrow \mathrm{lcm}(n_1, n_2)$
8 $h \leftarrow (x^n - a_1^n)$
9 $e \leftarrow \lceil \log_p \max_i e_i \rceil$, the smallest $e$ such that $p^e \ge e_i$ for all $i$
10 return $h = x^b (x^n - a_1^n)^{p^e}$

Proof. As a first step, the algorithm factors the given polynomial into irreducible factors. Efficient probabilistic algorithms for factoring polynomials over finite fields are well-known (von zur Gathen and Gerhard, 2003).

First, suppose the input polynomial $f$ is irreducible, i.e. $\ell = e_1 = 1$ in Step 1. Then it has the form $f = (x - a)(x - a^q) \cdots (x - a^{q^{d-1}})$ for some $a \in \mathbb{F}_{q^d}$, where $d = \deg f$. If $f = (x - a)$, the least-degree binomial multiple is $f$ itself. Therefore, assume that $d > 1$. Let the least-degree binomial multiple (in $\mathbb{F}_q[x]$) be $x^n - \beta$.

Since both $a$ and $a^q$ are roots of $(x^n - \beta)$, we have that $a^n = a^{nq}$ and $a^{n(q-1)} = 1$. Thus, the order $o_a$ of $a$ divides $n(q - 1)$. The minimal $n$ for which $o_a \mid n(q - 1)$ is $n = o_a / \gcd(o_a, q - 1)$. Since this $n$ ensures that $a^n = a^{nq}$, it also simultaneously ensures that each $a^{q^i}$ is also a root.

Notice that this $n$ equals $n_1$ computed on Step 5, and $n_2$ computed on Step 6 will equal 1, so the algorithm is correct in this case.

Now suppose the input polynomial $f$ is reducible. The factorization step factors $f$ into irreducible factors $f = f_1^{e_1} f_2^{e_2} \cdots f_\ell^{e_\ell}$. Let $\bar f = f_1 f_2 \cdots f_\ell$ denote the squarefree part of $f$.

Being irreducible, each $f_i$ has the form $f_i(x) = (x - a_i)(x - a_i^q) \cdots (x - a_i^{q^{d_i - 1}})$ for some $a_i \in \mathbb{F}_{q^{d_i}}$, and $d_i = \deg f_i$. We make two observations:

• If $\bar f(x) \mid x^n - a$ for some $a \in \mathbb{F}_q$, we have that $a_i^n = a_j^n$ for all $1 \le i, j \le \ell$, and hence that $(a_i / a_j)^n = 1$. Thus $\mathrm{order}(a_i / a_j) \mid n$. The least integer satisfying these constraints is $n_2$ computed on Step 6.

• As before for the case when the input polynomial is irreducible and of degree more than one: $d_i > 1$ implies that $o_i / \gcd(o_i, q - 1) \mid n$ for $o_i$ the order of $a_i$. The least integer satisfying these constraints is $n_1$ computed on Step 5.

The minimal $n$ is the least common multiple of all the divisors obtained from the above two types of constraints, which is exactly the value computed on Step 7. The minimal degree binomial multiple of $\bar f$ is $x^n - a_1^n$.

It is easily seen that for the smallest $e$ such that $p^e \ge e_i$, $(x^n - a_1^n)^{p^e}$ is a binomial multiple of $f$. We now show that it is actually the minimal degree binomial multiple. Specifically, let $e$ be the smallest non-negative integer such that $p^e \ge \max_i e_i$; we show that the minimal degree binomial multiple of $f$ is $(x^n - a_1^n)^{p^e}$ for $n$ obtained as above.

Let the minimal degree binomial multiple of $f$ be $x^{\tilde n} - b$. Factor $\tilde n$ as $\tilde n = \hat n\, p^c$ for maximal $c$, and write $(x^{\tilde n} - b)$ as $(x^{\hat n} - b^{1/p^c})^{p^c}$. The squarefree part of $f$, $\bar f$, divides $(x^{\hat n} - b^{1/p^c})$, and hence (by constraints on and minimality of $n$) $(x^n - a_1^n) \mid (x^{\hat n} - b^{1/p^c})$. Thus $\hat n \ge n$.

Since $c$ is chosen maximally, $p$ does not divide $\hat n$, and hence $x^{\hat n} - b^{1/p^c}$ is squarefree. Using this and the fact that $f$ divides $(x^{\hat n} - b^{1/p^c})^{p^c}$, it is seen that $p^c \ge e_i$ holds for all $e_i$, and hence $p^c \ge p^e$. This, along with $\hat n \ge n$, completes the proof that $(x^n - a_1^n)^{p^e}$ is the minimal degree binomial multiple of $f$, which completes the proof of the theorem. □
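As an added example (not the paper's own code), the following Python runs Algorithm 5.1 over a prime field $\mathbb{F}_p$ for inputs that split into linear factors, so every $d_i = 1$, Step 5 gives $n_1 = 1$, and the order-finding calls of Step 4 become plain orders in $\mathbb{F}_p^*$; the sample polynomial is constructed, and an exhaustive search over smaller binomials confirms minimality for it.

```python
"""Least-degree binomial multiple over a prime field F_p, following the
structure of Algorithm 5.1 (added example, not the paper's own code).

Assumption: the input polynomial splits into linear factors over F_p, so
every d_i = 1.  Then Step 5 gives n_1 = 1 and only Step 6 (orders of
a_i / a_j in F_p^*) matters.  Polynomials are coefficient lists, lowest
degree first."""
from itertools import combinations
from math import lcm


def trim(a):
    """Drop zero coefficients at the top (highest degrees) in place."""
    while a and a[-1] == 0:
        a.pop()
    return a


def poly_divmod(a, b, p):
    """Quotient and remainder of a / b over F_p (b must be nonzero)."""
    a = trim([c % p for c in a])
    b = trim([c % p for c in b])
    q = [0] * max(len(a) - len(b) + 1, 0)
    inv_lead = pow(b[-1], -1, p)
    while len(a) >= len(b):
        coef = a[-1] * inv_lead % p
        shift = len(a) - len(b)
        q[shift] = coef
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % p
        trim(a)
    return q, a


def mult_order(a, p):
    """Order of a in F_p^* (a nonzero), by repeated multiplication."""
    a %= p
    acc, k = a, 1
    while acc != 1:
        acc = acc * a % p
        k += 1
    return k


def binomial_multiple(f, p):
    """Return the least-degree binomial multiple x^b (x^n - a_1^n)^{p^e} of f."""
    f = trim([c % p for c in f])
    # Step 1: factor.  Peel off x^b, then find roots in F_p with multiplicity.
    b = 0
    while f and f[0] == 0:
        f.pop(0)
        b += 1
    roots = {}          # root a_i -> multiplicity e_i
    g = list(f)
    for r in range(1, p):
        while True:
            q, rem = poly_divmod(g, [-r % p, 1], p)   # divide by (x - r)
            if rem:
                break
            roots[r] = roots.get(r, 0) + 1
            g = q
    if len(g) != 1:
        raise NotImplementedError("f has an irreducible factor of degree > 1; "
                                  "that case needs extension-field arithmetic")
    # Steps 2-7: all d_i = 1, so n_1 = 1 and n = n_2 = lcm of order(a_i / a_j).
    n = 1
    for ai, aj in combinations(roots, 2):
        n = lcm(n, mult_order(ai * pow(aj, -1, p) % p, p))
    # Step 9: smallest e with p^e >= max e_i.
    e = 0
    while p ** e < max(roots.values()):
        e += 1
    # Step 10: in characteristic p, (x^n - a_1^n)^{p^e} = x^{n p^e} - a_1^{n p^e},
    # so the result really is a binomial.
    a1 = next(iter(roots))
    deg = n * p ** e
    h = [0] * (b + deg + 1)
    h[b] = -pow(a1, deg, p) % p
    h[b + deg] = 1
    return h


def brute_force_binomial(f, p, max_deg):
    """Smallest (m, c) with c != 0 and f | x^m - c, m <= max_deg, or None."""
    for m in range(1, max_deg + 1):
        for c in range(1, p):
            if not poly_divmod([-c % p] + [0] * (m - 1) + [1], f, p)[1]:
                return m, c
    return None


if __name__ == "__main__":
    # Constructed sample: f = (x - 2)(x - 3)^2 = x^3 + 6x^2 + 3 over F_7.
    F, P = [3, 0, 6, 1], 7
    h = binomial_multiple(F, P)
    print("deg h =", len(h) - 1)                         # deg h = 42
    print("exhaustive search below 42:", brute_force_binomial(F, P, 41))
```

For the sample, the double root forces $7 \mid m$ and $\mathrm{order}(2/3) = 6$ forces $6 \mid m$, so the search finds nothing below $x^{42} - 1$.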

6 Conclusion and Open Problems 

To summarize, we have presented an efficient algorithm to compute the least-degree binomial multiple of any rational polynomial. We can also compute t-sparse multiples of rational polynomials that do not have repeated cyclotomic factors, for any fixed t, and given a bound on the height of the multiple.

We have also shown that, even for fixed t, finding a t-sparse multiple of a degree-$d$ polynomial over $\mathbb{F}_q[x]$ is at least as hard as finding the orders of elements in $\mathbb{F}_{q^d}$. In the $t = 2$ case, there is also a probabilistic reduction in the other direction, so that computing binomial multiples of degree-$d$ polynomials over $\mathbb{F}_q[x]$ probabilistically reduces to order finding in $\mathbb{F}_{q^d}$.

Several important questions remain unanswered. Although we have an unconditional algorithm to compute binomial multiples of rational polynomials, computing t-sparse multiples for fixed $t \ge 3$ requires an a priori height bound on the output as well as the requirement that the input contains no repeated cyclotomic factors. Removing these restrictions is desirable (though not necessarily possible).

Regarding lower bounds, we know that computing t-sparse multiples over finite fields is at least as hard as order finding, a result which is tight (up to randomization) for $t = 2$, but for larger t we believe the problem is even harder. Specifically, we suspect that computing t-sparse multiples is NP-complete over both $\mathbb{Q}$ and $\mathbb{F}_q$, when t is a parameter in the input.
A Finding short vectors in lattices

In Section 2.1, we presented Algorithm 2.1 to find the shortest vector in the image of an integer matrix. This appendix is devoted to proving the correctness of this algorithm, culminating in the proof of Theorem 2.1. Again, the results here are due to the presentation of Ajtai et al. (2001) by Regev (2004), with modifications to accommodate the infinity norm.

For any lattice $\mathcal{L}$, define $s(\mathcal{L}) = \min_{v \in \mathcal{L}} \|v\|_2$ to be the least $l_2$ norm of any nonzero vector in $\mathcal{L}$. If $\mathcal{L}$ satisfies $2 \le s(\mathcal{L}) < 3$, and $B$ is a basis for $\mathcal{L}$, then we will show that the main for loop in Steps 3-24 of Algorithm 2.1 finds a vector in $\mathcal{L}$ with minimal $l_\infty$ norm, with high probability. The for loop on line 3 adapts this to work for any lattice by scaling. More precisely, given a lattice $\mathcal{L}$, we first run the algorithm of Lenstra et al. (1982) to get an approximation $\lambda$ for the shortest $l_2$ vector in $\mathcal{L}$ satisfying $s(\mathcal{L}) \le \|\lambda\|_2 \le 2^n s(\mathcal{L})$. For each $k$ from 1 to $2n$, we then run the for loop with basis $B_k$ for the lattice $(1.5^k / \|\lambda\|_2) \cdot \mathcal{L}$. For some $k$ in this range, $2 \le s(B_k) < 3$ must hold, and we will show that for this $k$, the vector $v_k$ set on Step 24 is the $l_\infty$ shortest vector in the image of $B_k$ with high probability. For every $k$, $v_k$ is a vector in the image of $B_k$, and hence it suffices to output the shortest $l_\infty$ vector among $\{(\|\lambda\|_2 / 1.5^k)\, v_k\}$ on Step 25.

We will now prove that the vector $v_k$ set on Step 24 is with high probability the shortest $l_\infty$ vector in the image of $B$, when $B$ is a basis for a lattice $\mathcal{L}$ such that $2 \le s(\mathcal{L}) < 3$.

To find the shortest $l_\infty$ vector in a lattice, it suffices to consider all lattice vectors of $l_2$ norm at most $\sqrt{n}$ times the norm of the shortest $l_2$ vector. Algorithm 2.1 achieves this by running the main body of the loop with different values of $\gamma$. In a particular iteration of the outermost loop, with high probability, the algorithm encounters all lattice vectors $v$ with $l_2$ norm satisfying $(2/3) \cdot \|v\|_2 \le \gamma \le \|v\|_2$. Call all such $v$ interesting. By iterating over a suitable range of $\gamma$, it returns the shortest vector among all the interesting vectors, which with high probability is the shortest $l_\infty$ vector in the lattice.

For a particular iteration of the loop (with a fixed $\gamma$), the algorithm uniformly samples a large number of vectors from an appropriately sized ball. In fact, the algorithm works even if an almost-uniform sampling over rational vectors with bit lengths bounded by $(\log \|B\| + n)^{O(1)}$ is performed. This is because the size of sufficiently small lattice vectors is only a polynomial in the size of the basis vectors. For the rest of this subsection, "arithmetic operations" means operations with rational numbers of this size.

After sampling, the algorithm performs a series of sieving steps to ensure that at the end of these steps the algorithm is left with lattice vectors of sufficiently small $l_2$ norm. Using a probabilistic argument, it is argued that all interesting vectors are obtained.

The following lemma proves the correctness of the sieving steps. These correspond to Steps 13 to 17 of the algorithm. At the end of this sieving, the algorithm produces a set $J$ of size at most $5^n$.

Lemma A.1. Given $S \subseteq \{1, \ldots, m\}$ such that for all $i \in S$, $y_i \in \mathbb{R}^n$ and $\|y_i\|_2 \le r$, Steps 13-17 efficiently compute the following: a subset $J \subseteq S$ of size at most $5^n$ and a mapping $\eta : S \setminus J \to J$ such that $\|y_i - y_{\eta_i}\|_2 \le r/2$.

Proof. Initially the set $J$ is empty. The algorithm iterates over the points $y_i$ with $i \in S$, adding $i$ to $J$ only if $\min_{j \in J}(\|y_j - y_i\|_2) > r/2$. For $i \notin J$, it sets $\eta_i$ to a $j \in J$ such that $\|y_j - y_i\|_2 \le r/2$.

It is clear that this procedure runs in polynomial time. To see that the size of $J$ is at most $5^n$, note that all the balls of radius $r/4$ and centered at $y_j$ for $j \in J$ are disjoint by construction of $J$. Also, these balls are contained in a ball of radius $r + r/4$ since $\|y_i\|_2 \le r$. Thus the total number of disjoint balls, and hence the size of $J$, can be bounded above by comparing the volumes: $|J| \le ((5r/4)/(r/4))^n = 5^n$. □

The algorithm views every sampled vector $x_i$ as a perturbation of a lattice vector $x_i - y_i$ for some $y_i$. The idea is the following: initially $y_i$ is calculated so that $x_i$ is a perturbation of some large lattice vector. Iteratively, the algorithm either obtains shorter and shorter lattice vectors corresponding to $x_i$, or discards $x_i$ in some sieving step. At all stages of the algorithm, $x_i - y_i$ is a lattice vector. The following two lemmas concretize these observations.

Lemma A.2. $\{y_i\}$ can be found efficiently in Step 11; and $\{x_i - y_i\} \subseteq \mathcal{L}$.

Proof. For a fixed $x_i$, $y_i$ is set to $(x_i \bmod \mathcal{P}(B))$ where $\mathcal{P}(B)$ denotes all vectors contained in the parallelepiped $\{\sum_{i=1}^n \alpha_i b_i \mid 0 \le \alpha_i < 1\}$, with $b_i$ being the given basis vectors. Thus $y_i$ is the unique element in $\mathcal{P}(B)$ such that $y_i = x_i - v$ for $v \in \mathcal{L}$. From this definition of $y_i$, we get that $x_i - y_i \in \mathcal{L}$ for every $i$.

To calculate $y_i$ efficiently, simply represent $x_i$ as a rational linear combination of the basis vectors $\{b_i\}$ and then truncate each coefficient modulo 1. □

Lemma A.3. $Y_\gamma \subseteq \mathcal{L} \cap B_n(0, 3\gamma + 1)$.

Proof. By Lemma A.2, $(x_i - y_i) \in \mathcal{L}$ for all $i \in S$ before the start of the loop. It needs to be proved that the same holds after the loop, and furthermore, all the resulting lattice vectors lie in $B_n(0, 3\gamma + 1)$. Whenever the algorithm modifies any $y_i$, it sets it to $y_i + x_{\eta(i)} - y_{\eta(i)}$, and thus a lattice vector $(x_i - y_i)$ changes into $(x_i - y_i - (x_{\eta(i)} - y_{\eta(i)}))$. Since both of the terms are lattice vectors, so is their difference. Thus $Y_\gamma \subseteq \mathcal{L}$.

We will now show that the invariant $\|y_i\|_2 \le r$ is maintained at the end of every iteration. This suffices to prove that $x_i - y_i \in B_n(0, 3\gamma + 1)$ because $x_i \in B_n(0, \gamma)$ and $\|y_i\|_2 \le 2\gamma + 1$ by the loop termination condition.

Initially, $y_i = \sum_{j=1}^n \alpha_j b_j$ for some coefficients $\alpha_j$ satisfying $0 \le \alpha_j < 1$. Thus $\|y_i\|_2 \le \sum_j \|b_j\|_2 \le n \max_j \|b_j\|_2$, the initial value of $r$. Consider now the result of the change $y_i \to y_i + x_{\eta_i} - y_{\eta_i}$. We have that $\|y_i + x_{\eta_i} - y_{\eta_i}\|_2 \le \|y_i - y_{\eta_i}\|_2 + \|x_{\eta_i}\|_2$. The first of these terms is bounded by $r/2$ because of the choice of $\eta_i$ in Lemma A.1. From $\|x_i\|_2 \le \gamma$, we get that $\|y_i\|_2 \le r/2 + \gamma$. Since the value of $r$ gets updated appropriately, the invariant $\|y_i\|_2 \le r$ is maintained at the end of the loop. □

The following crucial lemma says that $Y_\gamma$ can be used to compute all interesting vectors:

Lemma A.4. Let $v \in \mathcal{L}$ be a lattice vector such that $(2/3) \cdot \|v\|_2 \le \gamma \le \|v\|_2$. Then, with probability at least $1 - 1/2^{O(n)}$, $\exists w \in \mathcal{L}$ such that $Y_\gamma$ contains both $w$ and $w \pm v$.

Using this lemma, we can prove our main theorem, which we restate from 
Section 2.1: 

Theorem (Theorem 2.1). Given a lattice basis $U \in \mathbb{Z}^{n \times d}$, Algorithm 2.1 returns the shortest $l_\infty$ vector in the lattice of $U$, with probability at least $1 - 1/2^{O(n)}$, using $2^{O(n \log n)} \cdot \|U\|^{O(1)}$ bit operations.
Proof. Define $B_k$ to be the basis $B$ set on Step 4 at iteration $k$ through the for loop on line 3. For correctness, consider the iteration $k$ such that the lattice $\mathcal{L}$ of $B_k$ satisfies $2 \le s(\mathcal{L}) < 3$, which we know must exist from the discussion above.

Denote by $v_\infty$ the shortest nonzero vector in $\mathcal{L}$ under the $l_\infty$ norm. We have that $l_2(v_\infty) \le \sqrt{n} \cdot l_\infty(v_\infty) \le \sqrt{n} \cdot l_\infty(v) \le \sqrt{n} \cdot l_2(v)$, for any nonzero vector $v \in \mathcal{L}$. Hence, the $l_2$ norm of the shortest $l_\infty$ vector is at most $\sqrt{n}$ times the $l_2$ norm of the shortest $l_2$ vector.

Since the length $s(\mathcal{L})$ of the shortest $l_2$ vector is assumed to satisfy $2 \le s(\mathcal{L}) < 3$, we have that the $l_2$ norm of $v_\infty$ satisfies $\|v_\infty\|_2 \le 3\sqrt{n}$. Therefore at least one iteration of the while loop on line 7 has $(2/3) \cdot \|v_\infty\|_2 \le \gamma \le \|v_\infty\|_2$, and by Lemma A.4, with high probability some $Y_\gamma$ contains $w$ and $w \pm v_\infty$ for some $w \in \mathcal{L}$. Since the algorithm computes the differences of the vectors in $Y_\gamma$, it sets $v_k$ to $v_\infty$ on Step 24 with high probability.

For the cost analysis, consider a single iteration of the while loop on line 7. The value of $r_0$ is bounded by $(n \cdot \|U\|)^{O(1)}$. The value of $m$ is bounded by $2^{O(n \log \gamma)} \log r_0$, which is in turn bounded by $2^{O(n \log n)} \cdot \|U\|^{O(1)}$ because $\gamma \in O(\sqrt{n})$. Since the number of sieving steps is $O(\log r_0) \in O(m)$, the total cost of a single iteration of the while loop is $m^{O(1)}$. The total number of iterations of the while loop is $O(\log n) \in O(m)$, and there are exactly $2n \in O(m)$ iterations of the outer for loop. Each arithmetic operation costs $(n \cdot \|U\|)^{O(1)} \in O(m)$, so the total cost is $m^{O(1)}$, which gives the stated bound. □

To prove Lemma A.4, a probabilistic argument will be employed. The proof can be broken into three steps. First, we identify a set of good points from the sampled points, and argue that this set is large. Next, we argue that there must exist a lattice point which corresponds to numerous good points. Finally, we argue that an imaginary probabilistic step does not essentially change the behaviour of the algorithm. Combined with the existence of a lattice point corresponding to many good points, this imaginary step allows us to argue that the algorithm encounters both $w$ and $w \pm v$ for an appropriate interesting $v$.

Let $v$ be an interesting lattice vector. That is, $(2/3) \cdot d \le \gamma \le d$ for $d = \|v\|_2$. For the iteration where the algorithm uses a value of $\gamma$ in this range, we will denote by $C_1$ the points in the set $B_n(v, \gamma) \cap B_n(0, \gamma)$. Similarly, $C_2 = B_n(-v, \gamma) \cap B_n(0, \gamma)$. By choice of $\gamma$, $C_1$ and $C_2$ are disjoint. We will call the points in $C_1 \cup C_2$ good. The following lemma shows that the probability of sampling a good point is large.

Lemma A.5. $\Pr[x_i \in C_1] \ge 2^{-2n}$.

Proof. The radius of both $B_n(0, \gamma)$ and $B_n(v, \gamma)$ is $\gamma$. The distance between the centers is $d = \|v\|_2$. Thus the intersection contains a sphere of radius $\gamma - d/2$ whose volume gives a lower bound on the volume of $C_1$. Comparing with the volume of $B_n(0, \gamma)$ and using the fact that $\gamma \ge (2/3) \cdot d$, we get that
Informally, the following lemma says that if $S$ is large at the end of the inner
loop, the set $\{x_i - y_i\}$ has many repetitions and hence is never very large.

Lemma A.6. $|Y_\gamma| \le (3\gamma + 2)^n$.

Proof. The points in $\mathcal{L}$ are separated by a distance of at least 2 since we assumed
$s(\mathcal{L}) \ge 2$. Hence balls of radius 1 around each lattice point are pairwise disjoint.
If we consider only the balls corresponding to points in $Y_\gamma$, all of them are
contained in a ball of radius $3\gamma + 2$ since $Y_\gamma \subseteq B_n(0, 3\gamma + 1)$ by Lemma A.2. Thus
the total number of points in $Y_\gamma$ is at most $\mathrm{Vol}(B_n(0, 3\gamma + 2)) / \mathrm{Vol}(B_n(0, 1)) =
(3\gamma + 2)^n$. □

The following lemma argues that there must be a lattice point corresponding 
to many good points. 

Lemma A.7. With high probability, there exists $w \in Y_\gamma$ and $I \subseteq S$ such that
$|I| \ge 2^{3n}$, and for all $i \in I$, $x_i \in C_1 \cup C_2$ and $w = x_i - y_i$.

Proof. Since $\Pr[x_i \in C_1 \cup C_2]$ is at least $2^{-2n}$ by Lemma A.5, and the number
of points sampled is $\lceil 2^{(7 + \lceil \log(\gamma) \rceil) n} \log r_0 \rceil$, the expected number of good points
sampled at the start is at least $2^{(5 + \lceil \log(\gamma) \rceil) n} \log r_0$. The loop performs $\log r_0$
iterations removing (by Lemma A.1) at most $5^n$ points per iteration. The total
number of good points remaining in $S$ after the sieving steps is
$(2^{(5 + \lceil \log(\gamma) \rceil) n} - 5^n) \log r_0 \ge 2^{(4 + \lceil \log(\gamma) \rceil) n} \log r_0$ since $5^n < 2^{3n}$.

By Lemma A.6, $|Y_\gamma| \le (3\gamma + 2)^n$. Since $3\gamma + 2 \le 4\gamma$ for $\gamma \ge (3/2)^2$,
$|Y_\gamma| \le 2^{(2 + \log(\gamma)) n}$. Hence, there exists a $w \in Y_\gamma$ corresponding to at least

\[
2^{(4 + \lceil \log(\gamma) \rceil) n} \log r_0 \,/\, 2^{(2 + \log(\gamma)) n} \;\ge\; 2^{3n}
\]

good points. □

The final step in the analysis is to argue that for such a $w \in Y_\gamma$, we must
also have that $w \pm v \in Y_\gamma$ with high probability for an interesting $v \in \mathcal{L}$.

Proof of Lemma A.4.

Consider the iteration where $\gamma$ satisfies $(2/3) \cdot \|v\| \le \gamma < \|v\|$ for an
interesting lattice vector $v$.

It can be easily seen that $x \in C_1$ if and only if $x - v \in C_2$. Consider an
imaginary process performed just after sampling all the $x_i$. For each $x_i \in C_1$,
with probability $1/2$, we replace it with $x_i - v \in C_2$. Similarly, for each $x_i \in C_2$,
we replace it with $x_i + v \in C_1$. (This process cannot be performed realistically
without knowing $v$, and is just an analysis tool.) The definition of $y_i$ is invariant
under addition of lattice vectors $v \in \mathcal{L}$ to $x_i$, and hence the $y_i$ remain the same
after this process.

Since the sampling was done from the uniform distribution and since
$(x \in C_1) \mapsto (x - v \in C_2)$ is a bijection, this process does not change the sampling
distribution.

We may postpone the probabilistic transformation $x_i \leftrightarrow (x_i - v)$ to the time
when it actually makes a difference, that is, just before the first time when $x_i$
is used by the algorithm. The algorithm uses $x_i$ in two places. For $i \in J$ during
the sieving step, we perform this transformation immediately after computation
of $J$. Another place where $x_i$ is used is the computation of $Y_\gamma$. We perform this
transformation just before this computation.

In the original algorithm (without the imaginary process), by Lemma A.7,
there exists a point $w \in Y_\gamma$ corresponding to at least $2^{3n}$ good points. Let $\{x_i\}$
be this large set of good points. With high probability, there will be many $x_i$
which remain unchanged, and also many $x_i$ which get transformed into $x_i \pm v$.
Thus, $Y_\gamma$ contains both $w$ and $w \pm v$ with high probability.